Multilevel Authentication

ABSTRACT

In an exemplary embodiment, a system includes a memory operable to store a user account identifier associated with a user account and a mobile device identifier associated with a mobile device. The memory is also operable to store a first user credential and a second user credential, the second user credential, wherein the second user credential comprises user input data captured by a sensor. The system includes a network interface operable to receive a request to authenticate a requesting user. The system also includes a processor operable to determine information included in the request to facilitate authentication of the requesting user and whether the information included in the request matches the information associated with the user account. The processor is further operable to authenticate the requesting user if the request is associated with the user account and information included in the request matches the information associated with the user account.

TECHNICAL FIELD OF THE INVENTION

This invention relates generally to user authentication and, morespecifically, to a multilevel authentication system and process forfinancial transactions.

BACKGROUND OF THE INVENTION

Enterprises handle a large number of customer transactions on a dailybasis. New methods of conducting transactions become available astechnology advances. For some customers, it may be desirable to conducttransactions using a mobile device, such as a smart phone device.However, if a malicious user gains access to a customer's mobile device,the malicious user may be able to conduct transactions.

SUMMARY OF THE INVENTION

According to embodiments of the present disclosure, disadvantages andproblems associated with previous authentication systems may be reducedor eliminated.

In certain embodiments, a system includes a memory, a network interface,and a processor. The memory is operable to store a user accountidentifier associated with a user account, the user account associatedwith a user and store a mobile device identifier associated with amobile device and the user account. The memory is also operable to storea first user credential associated with the user account and store asecond user credential, the second user credential associated with theuser account, wherein the second user credential comprises user inputdata, the user input data captured by a sensor associated with themobile device. The network interface is operable to receive a request toauthenticate a requesting user. The processor is communicatively coupledto the memory and the network interface, the memory including executableinstructions that upon execution cause the system to determineinformation included in the request to facilitate authentication of therequesting user and determine whether the information included in therequest matches the information associated with the user account. Thememory also includes instructions that cause the system to authenticatethe requesting user if the request is associated with the user accountand information included in the request matches the informationassociated with the user account.

Particular embodiments of the present disclosure may provide some, none,or all of the following technical advantages. For example, certainembodiments can provide enhanced security for mobile transactions byrequiring two levels of authentication. In such embodiments, if amalicious user gains access to a mobile device of a user and correctlyguesses the user's user credentials, the malicious user may not be ableto complete a transaction due to a second level of authentication. Incertain embodiments, a user may be able to use a sensor of a mobiledevice to add a second level of authentication for enhanced security. Insuch embodiments, a user may be able to use the sensor to input physicaldata that is unique to the user, preventing the malicious user fromcompleting a transaction.

Certain embodiments of the present disclosure may include some, all, ornone of the above advantages. One or more other technical advantages maybe readily apparent to those skilled in the art from the figures,descriptions, and claims included herein.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present disclosure and itsadvantages, reference is made to the following descriptions, taken inconjunction with the accompanying drawings in which:

FIG. 1 illustrates an example multilevel authentication system;

FIG. 2 illustrates an example method for multilevel authentication,which may be performed by the example system of FIG. 1 to authenticate auser, according to certain embodiments of the present disclosure;

FIG. 3 illustrates an example method for multilevel authentication,which may be performed by the example system of FIG. 1 to authenticate auser, according to certain embodiments of the present disclosure; and

FIG. 4 illustrates example multilevel authentication data, which may beutilized by the example system of FIG. 1 to authenticate a user,according to certain embodiments of the present disclosure.

DETAILED DESCRIPTION OF THE INVENTION

Certain embodiments of the present disclosure provide techniques forauthenticating a user using multilevel authentication. FIGS. 1 through 4below illustrate systems and methods for authenticating a user usingmultilevel authentication.

FIG. 1 illustrates an example multilevel authentication system 100,according to certain embodiments. In general, multilevel authenticationis used by enterprises, such as financial institutions, to authenticatea customer's financial transactions using a smart device. Multilevelauthentication may require a customer to use two methods ofauthentication before the customer is authorized for a particulartransaction. For example, the first level may be a password entered intothe customer's smart device and the second level may be a check for aparticular Bluetooth® device coupled to the smart device. In particular,multilevel authentication system comprises merchant environment 110 andenterprise environment 120.

Merchant environment 110 may be any environment where user 130 mayattempt to conduct a transaction that requires authentication. Incertain embodiments, merchant environment 110 may comprise mobiledevices 102, payment terminals 106, and network 140. Mobile device 102is a device operable to communicate wirelessly with network 140, paymentterminal 106, peripheral device 114, enterprise environment 120, or anyother suitable components of multilevel authentication system 100. Forexample, mobile device 102 may be a laptop computer, personal digitalassistant (PDA), cellular phone, tablet, portable media player, smartdevice, or any other device capable of wireless communication. Incertain embodiments, mobile device 102 may include one or moreprocessors, one or more memories, one or more displays, one or moreinterfaces, one or more components capable of inputting data, one ormore components capable of outputting data, one or more componentscapable of communicating with any other component of multilevelauthentication environment 100, or any other component suitable forparticular needs. According to certain embodiments, mobile device 102may include mobile device identifier 104. Mobile device identifier 104is a unique identifier for mobile device 102 that allows multilevelauthentication system 100 to differentiate a particular mobile device102 from a different mobile device 102. For example, mobile deviceidentifier 104 may be an alphanumeric string stored in a memory ofmobile device 102. In the illustrated example, mobile device 102 a mayinclude mobile device identifier 104 a and mobile device 102 b mayinclude mobile device identifier 104 b wherein mobile device identifier104 a is distinct from mobile device identifier 104 b. In certainembodiments, mobile device 102 may be operable to communicate withvarious components of multilevel authentication environment 100 via ashort range wireless communications protocol such as Bluetooth®, a nearfield communications (NFC) protocol, or a radio frequency identification(RFID) protocol.

In certain embodiments, mobile device 102 may include sensor 138. Sensor138 may be any combination of hardware, software, and/or firmware thatcan receive physical-based input from user 130 according to particularneeds. Sensor 138 may include various components of mobile device 102 orit may be specialized technology providing added functionality to mobiledevice 102. Sensor 138 may include biometric analysis components orsensor 138 may include other components capable of capturing physicalinput from user 130. Examples of physical input may include movement ofmobile device 102, vocal-recognition of user 130, retinal scanning ofuser 130, and/or fingerprint analysis of user 130. For example,according to some embodiments, sensor 138 may include one or moreaccelerometers and/or one or more gyroscopes capable of detecting themotion of mobile device 102 in a particular pattern. In such anembodiment, sensor 138 detects a particular movement of mobile device102 by user 130. An example of a particular movement is user 130 movingmobile device 102 downwards toward the floor then moving mobile device102 to the right of user 130, effectively “drawing” an “L shape” in theair with mobile device 102. In such an embodiment, mobile device 102and/or sensor 138 may be able to compare the input of user 130 to apreviously saved user 130 input to authenticate user 130.

Another example of sensor 138 may be ocular-based technology such as aretinal scanner. In such an embodiment, sensor 138 may be able toidentify user 130 based on a scan of one or both eyes of user 130. Inthe illustrated embodiment, mobile device 102 c may be able to identifyuser 130 c using sensor 138 c, which may include retinal scanningtechnology. For example, the retinal scanning technology may be softwareand/or firmware controlling a camera of user device 102 c, which is thenable to compare the retinal scan to a previous retinal scan toauthenticate user 130 c. As a further example, sensor 138 may be afingerprint scanner capable of identifying user 130 based on a scan ofthe fingerprint of user 130. For example, sensor 138 d may includesoftware and/or firmware to use an interactive display of mobile device130 d to receive a fingerprint input from user 130 d or sensor 138 d mayinclude dedicated hardware to receive a fingerprint input from user 130d. In certain embodiments, mobile device 102 and/or sensor 138 d may beable to compare the fingerprint input to a previous fingerprint inputfrom user 130 d to authenticate user 130 d.

According to certain embodiments, mobile device 102 may becommunicatively coupled to peripheral device 114. Generally, peripheraldevice 114 may be any device that may be communicatively coupled tomobile device 102. For example, peripheral device 114 may be a headset,a microphone, a mouse, a keyboard, a watch, a key fob, an authenticator,a security token, or any other device that may communicatively couple tomobile device 102. In certain embodiments, peripheral device 114 may beany combination of hardware, software, and/or firmware capable ofcommunicatively coupling to mobile device 102. Peripheral device 114 maybe issued to user 130 by an enterprise or peripheral device 114 may be aconsumer electronic device purchased by user 130 that providesadditional functionality to mobile device 102. In certain embodiments,various peripheral devices 114 may be associated with user 130 and/ormobile device 102. For example, user 130 may choose to couple aparticular peripheral device 114 to mobile device 102 based on a currentlocation of user 130. In such an embodiment, the second level ofauthentication for user 130 may vary based on a current location of user130. Multilevel authentication system 100 is capable of accommodating alarge variety and various combinations of peripheral devices 114.

Peripheral device 114 may include peripheral device identifier 116.Peripheral device identifier 116 is a unique identifier for peripheraldevice 114 that allows multilevel authentication system 100 todifferentiate a particular peripheral device 114 from a differentperipheral device 114. For example, peripheral device identifier 116 maybe an alphanumeric string stored in a memory of peripheral device 114.In the illustrated example, peripheral device 114 a may includeperipheral device identifier 116 a and peripheral device 114 b mayinclude peripheral device identifier 116 b wherein peripheral deviceidentifier 116 a is distinct from peripheral device identifier 116 b.

User 130 may be prompted to initiate a transaction at payment terminal106.

Generally, payment terminal 106 may be any device that can receive apayment method from user 130. For example, payment terminal 106 may be apoint-of-sale device in a store. Payment terminal 106 may be anycombination of hardware, software, and/or firmware capable of promptinguser 130 for a payment method for a particular transaction. In certainembodiments, payment terminal 106 may comprise processor 108 and memory112. Processor 108 may include one or more microprocessors, controllers,or any other suitable computing devices or resources. Processor 108 maywork, either alone or with components of multilevel authenticationsystem 100, to provide a portion or all of the functionality ofmultilevel authentication system 100 described herein. Processor 108communicatively couples to memory 112. Memory 112 may take the form ofvolatile or non-volatile memory including, without limitation, magneticmedia, optical media, random-access memory (RAM), read-only memory(ROM), removable media, or any other suitable memory component.

In certain embodiments, memory 112 may be internal or external toprocessor 108 and may include one or more instruction caches or one ormore data caches. Instructions in the instruction caches may be copiesof instructions in memory 112, and the instruction caches may speed upretrieval of those instructions by processor 108. Data in the datacaches may include any suitable combination of copies of data in memory112 for instructions executing at processor 108 to operate on, theresults of previous instructions executed at processor 108 for access bysubsequent instructions executing at processor 108, or for writing tomemory 112, and other suitable data. The data caches may speed up reador write operations by processor 108.

Generally, user 130 may be prompted for a payment at payment terminal106. User 130 may use mobile device 102 to make such a payment. Inparticular, payment terminal 106 may communicate message 122 to mobiledevice 102. Message 122 may comprise a request for a payment method. Inresponse to message 122, user 130 may input user credentials as a firstlevel of authentication. For example, user credentials may be the user'sname, a username, a password, an account name, a personal identificationnumber, a social security number, a credit card number, any combinationthereof, or any other information that can authenticate a user 130.Additionally, mobile device 102 may initiate a second level ofauthentication.

In certain embodiments, mobile device 102 may initiate a second level ofauthentication by communicating message 118 to peripheral device 114.Message 118 may comprise a request for peripheral device identifier 116.In response to message 118, mobile device 102 may access peripheraldevice identifier 116 of peripheral device 114. In certain embodiments,in response to message 122, payment terminal 106 may access mobiledevice identifier 104, peripheral device identifier 116, usercredentials entered by user 130 or the result of some function appliedto the user credentials, a unique identifier identifying user 130,and/or any other information that may be used by multilevelauthentication system 100 to authenticate user 130. In certainembodiments, payment terminal 106 may access information pertaining tothe communication protocol coupling peripheral device 114 to mobiledevice 102.

In the illustrated example, user 130 a may be prompted initially for apayment method at payment terminal 106 a. Payment terminal 106 a maycommunicate message 122 a to mobile device 102 a requesting a paymentmethod. In response to message 122 a, user 130 a may input usercredentials, such as a password, as a first level of authentication.Additionally, mobile device 102 a may initiate a second level ofauthentication by communicating message 118 a to peripheral device 114a. Message 118 a may comprise a request for peripheral device identifier116 a. In response to message 118 a, mobile device 102 a may accessperipheral device identifier 116 a of peripheral device 114 a. Incertain embodiments, in response to message 122 a, payment terminal 106a may access mobile device identifier 104 a, peripheral deviceidentifier 116 a, user credentials entered by user 130 a, a uniqueidentifier identifying user 130 a, and any other information that may beused by multilevel authentication system 100 a to authenticate user 130a.

As another example, user 130 b may be prompted initially for a paymentmethod at payment terminal 106 b. Payment terminal 106 b may communicatemessage 122 b to mobile device 102 b requesting a payment method. Inresponse to message 122 b, user 130 b may input user credentials, suchas a password, as a first level of authentication. Additionally, mobiledevice 102 b may initiate a second level of authentication bycommunicating message 118 b to peripheral device 114 b. Message 118 bmay comprise a request for peripheral device identifier 116 b. Inresponse to message 118 b, mobile device 102 b may access peripheraldevice identifier 116 b of peripheral device 114 b. In certainembodiments, in response to message 122 b, payment terminal 106 b mayaccess mobile device identifier 104 b, peripheral device identifier 116b, user credentials entered by user 130 b, a unique identifieridentifying user 130 b, and any other information that may be used bymultilevel authentication system 100 to authenticate user 130 b.

In certain embodiments, mobile device 102 may initiate a second level ofauthentication requesting input from user 130 via sensor 138. Forexample, mobile device 102 might use a display of mobile device 102 toinstruct user 130 to provide input to mobile device 102 using sensor138. In response to the prompt, user 130 may provide input to mobiledevice 102 using sensor 138. In certain embodiments, in response tomessage 122, payment terminal 106 may access mobile device identifier104, user credentials entered by user 130, a unique identifieridentifying user 130, information about the input of user 130 usingsensor 138, and/or any other information that may be used by multilevelauthentication system 100 to authenticate user 130.

In the illustrated example, mobile device 102 c may initiate a secondlevel of authentication requesting input from user 130 c via sensor 138c. Mobile device 102 c might use a display of mobile device 102 c toinstruct user 130 c to provide input to mobile device 102 c using sensor138 c, which may be capable of conducting a retinal scan. In response tothe prompt, user 130 c may provide input to mobile device 102 c usingsensor 138 c by placing his or her eyes in position for scanning. Incertain embodiments, in response to message 122 c, payment terminal 106c may access mobile device identifier 104 c, user credentials entered byuser 130 c, a unique identifier identifying user 130 c, informationabout the input of user 130 c using sensor 138 c, and/or any otherinformation that may be used by multilevel authentication system 100 toauthenticate user 130 c.

As another example, mobile device 102 d may initiate a second level ofauthentication requesting input from user 130 d via sensor 138 d. Mobiledevice 102 d might use a display of mobile device 102 d to instruct user130 d to provide input to mobile device 102 d using sensor 138 d, whichmay be a fingerprint scanner. In response to the prompt, user 130 d mayprovide input to mobile device 102 d using sensor 138 d by placing afinger in an appropriate position for scanning. In certain embodiments,in response to message 122 d, payment terminal 106 d may access mobiledevice identifier 104 d, user credentials entered by user 130 d, aunique identifier identifying user 130 d, information about the input ofuser 130 d using sensor 138 d, and/or any other information that may beused by multilevel authentication system 100 to authenticate user 130 d.

Payment terminal 106 may communicate the information accessed frommobile device 102 to authentication module 150 via message 124. Inaddition to the information accessed from mobile device 102, message 124may comprise a request to authenticate user 130. In certain embodiments,message 124 may be communicated to authentication module 150 via network140. For example, payment terminal 106 a may communicate message 124 a,payment terminal 106 b may communicate message 124 b, payment terminal106 c may communicate message 124 c, and payment terminal 106 d maycommunicate message 124 d. Alternatively, mobile device 102 maycommunicate the same information in message 126 to authentication module150 via network 140. For example mobile device 102 a may communicatemessage 126 a, mobile device 102 b may communicate message 126 b, mobiledevice 102 c may communicate message 126 c, and mobile device 102 d maycommunicate message 126 d.

Network 140 facilitates wireless or wireline communication. Network 140may communicate, for example, IP packets, Frame Relay frames,Asynchronous Transfer Mode cells, voice, video, data, and other suitableinformation between network addresses. Network 140 may include one ormore personal area networks (PANs), local area networks (LANs), awireless LAN (WLAN), a virtual private network (VPN), radio accessnetworks (RANs), metropolitan area networks (MANs), wide area networks(WANs), mobile networks (e.g., using WiMax (802.16), WiFi (802.11), 3G,or any other suitable wireless technologies in any suitablecombination), all or a portion of the global computer network known asthe Internet, an extranet, a satellite network, and/or any othercommunication system or systems at one or more locations, any of whichmay be any suitable combination of wireless and wireline.

Generally, enterprise environment 120 comprises authentication module150. Authentication module 150 may authenticate a particular user 130.In certain embodiments, authentication module 150 may include processor132 and memory 134. Processor 132 may include one or moremicroprocessors, controllers, or any other suitable computing devices orresources. Processor 132 may work, either alone or with components ofmultilevel authentication system 100, to provide a portion or all of thefunctionality of multilevel authentication system 100 described herein.Processor 132 communicatively couples to memory 134. Memory 134 may takethe form of volatile or non-volatile memory including, withoutlimitation, magnetic media, optical media, RAM, ROM, removable media, orany other suitable memory component.

In certain embodiments, memory 134 may be internal or external toprocessor 132 and may include one or more instruction caches or one ormore data caches. Instructions in the instruction caches may be copiesof instructions in memory 134, and the instruction caches may speed upretrieval of those instructions by processor 132. Data in the datacaches may include any suitable combination of copies of data in memory134 for instructions executing at processor 132 to operate on, theresults of previous instructions executed at processor 132 for access bysubsequent instructions executing at processor 132, or for writing tomemory 134, and other suitable data. The data caches may speed up reador write operations by processor 132.

Authentication module 150 may authenticate user 130 according to any oneof a variety of embodiments as required by particular needs. A fewexample embodiments for authenticating user 130 are disclosed in thefollowing paragraphs. Particularly, in response to message 124,authentication module 150 utilizes processor 132 and memory 134 toinitiate the authentication of user 130. Using the information includedin message 124, authentication module 150 may retrieve a particular useraccount 136 from user accounts 136. For example, authentication module150 may use the unique identifier of user 130 to retrieve a particularuser account 136. In certain embodiments, user accounts 136 may bestored in memory 134. In certain embodiments user accounts 136 may bestored in one or more text files, tables in a relational database, orany other suitable data structure capable of storing information. Eachuser account 136 may be associated with a user 130. In certainembodiments, user account 136 may contain information thatauthentication module 150 may use to compare against the informationincluded in message 124. For example, user account 136 may include aunique identifier for user 130, mobile device identifier 104, peripheraldevice identifier 116, an identifier for sensor 138, user input fromsensor 138, authorization preferences for user 130, user credentials ora result of some function applied to user credentials, and/or any otherinformation useful for authenticating user 130.

Authentication module 150 may compare the user credentials included inmessage 124 against the user credentials contained in the particularuser account 136. If the user credentials of message 124 do not matchthe user credentials included in the particular user account 136,authentication module 150 may communicate message 142 over network 140to payment terminal 106 and/or mobile device 102. Message 142 maycontain an indication that authentication of user 130 has failed. Itshould be understood when a user credential is discussed in anyparticular embodiment, the user credential may be the actual usercredential or it may be a result of some function(s) applied to the usercredential. Multilevel authentication system 100 is capable of storing,accessing, communicating, comparing, and/or processing user credentials(and derivatives thereof) in any suitable format according to particularneeds. For example, authentication module 150 may compare the actualuser credentials or authentication module 150 may compare a hash valueof the user credentials in the particular user account 136 with a hashvalue of the user credentials included in message 124.

Authentication module 150 may also compare mobile device identifier 104included in message 124 with mobile device identifier 104 of useraccount 136. If mobile device identifier 104 included in message 124does not match mobile device identifier 104 included in user account136, authentication module 150 may communicate message 142 over network140 to payment terminal 106 and/or mobile device 102. Message 142 maycontain an indication that authentication of user 130 has failed.

In certain embodiments, authentication module 150 may compare peripheraldevice identifier 104 included in message 124 to peripheral deviceidentifier 104 included in user account 136. If peripheral deviceidentifier 116 included in message 124 does not match peripheral deviceidentifier 116 included in user account 136, authentication module 150may communicate message 142 over network 140 to payment terminal 106and/or mobile device 102. Message 142 may contain an indication thatauthentication of user 130 has failed. This may be because theparticular peripheral device 114 that is associated with user account136 is not coupled to mobile device 102.

In certain embodiments, if user credentials of message 124 match theuser credentials contained in the particular user account 136, mobiledevice identifier 104 of message 124 matches mobile device identifier104 of the particular user account 136, and peripheral device identifier116 of message 124 matches peripheral device identifier 116 of theparticular user account 136, then authentication module 150 maydetermine user 130 is authenticated. Authentication module 150 maycommunicate message 142 to mobile device 102 and/or payment terminal 106indicating that user 130 is authenticated. Once user 130 isauthenticated, then user 130 may proceed with the current transaction.

According to certain embodiments, message 124 may contain a result ofthe comparison between the input of user 130 into sensor 138 of mobiledevice 102 to a previously saved user 130 input into sensor 138 ofmobile device 102. The result of the comparison may be that the twoinputs match or are similar enough to verify user 130 or that the twoinputs do match or are not similar enough to verify user 130 or anyother suitable result of a comparison between the two inputs accordingto particular needs. In such embodiments, if user credentials of message124 match the user credentials contained in the particular user account136, mobile device identifier 104 of message 124 matches mobile deviceidentifier 104 of the particular user account 136, and the result of theuser input comparison verifies user 130, then authentication module 150may determine user 130 is authenticated. Authentication module 150 maycommunicate message 142 to mobile device 102 and/or payment terminal 106indicating that user 130 is authenticated. Once user 130 isauthenticated, then user 130 may proceed with the current transaction.

In certain embodiments, user account 136 may include previously saveduser 130 input into sensor 138 of mobile device 102. In suchembodiments, message 124 may contain the input of user 130 into sensor138 of mobile device 102. The input of user 130 into sensor 138 may bein any suitable format according to particular needs. Authenticationmodule 150 may compare the input of user 130 included in message 124against the previously saved user 130 input into sensor 138 of mobiledevice 102. If the two inputs do not match or are not similar enough toverify user 130, then authentication module 150 may communicate message142 over network 140 to payment terminal 106 and/or mobile device 102.Message 142 may contain an indication that authentication of user 130has failed. If user credentials of message 124 match the usercredentials contained in the particular user account 136, mobile deviceidentifier 104 of message 124 matches mobile device identifier 104 ofthe particular user account 136, and the two user inputs match or aresimilar enough to verify user 130, then authentication module 150 maydetermine user 130 is authenticated. Authentication module 150 maycommunicate message 142 to mobile device 102 and/or payment terminal 106indicating that user 130 is authenticated. Once user 130 isauthenticated, then user 130 may proceed with the current transaction.

Any component of multilevel authentication system 100 may include aninterface, logic, memory, and other suitable elements. An interfacereceives input, sends output, processes the input and/or output and/orperforms other suitable operations. An interface may comprise hardwareand/or software. Logic performs the operation of the component, forexample, logic executes instructions to generate output from input.Logic may include hardware, software, and/or other logic. Logic may beencoded in one or more non-transitory media, such as a computer-readablemedium or any other suitable tangible medium, and may perform operationswhen executed by a computer. Certain logic, such as a processor, maymanage the operation of a component. Examples of a processor include oneor more computers, one or more microprocessors, one or moreapplications, and/or other logic. Any suitable logic may perform thefunctions of multilevel authentication system 100.

Certain embodiments of the present disclosure may provide some, none, orall of the following technical advantages. For example, certainembodiments can provide enhanced security for mobile transactions byrequiring two levels of authentication. In such embodiments, if amalicious user gains access to mobile device 102 of user 130 andcorrectly guesses user credentials of user 130, the malicious user maynot be able to complete a transaction due to a second level ofauthentication. In certain embodiments, user 130 may be able to useperipheral device 114 to add a second level of authentication forenhanced security. In such embodiments, user 130 may be able to useperipheral device 114 to add functionality to mobile device 102 otherthan security. According to certain embodiments, sensor 138 may providea second level of authentication that is based on a uniquecharacteristic of user 130. In such embodiments, security is enhancedbecause a malicious user may possess user credentials and mobile device102 of user 130, but not the unique characteristics of user 130 requiredto authenticate user 130.

FIG. 2 illustrates an example multilevel authentication method to beperformed by the example system 100 of FIG. 1 according to certainembodiments of a present disclosure. The method may be implemented inany suitable combination of software, firmware, and hardware. Althoughparticular components may be identified as performing particular steps,the present disclosure contemplates any suitable components performingthe steps according to particular needs.

At step 200, user 130 may attempt a transaction at payment terminal 106.For example, user 130 may initiate a purchase at payment terminal 106.User 130 may be prompted for a payment at payment terminal 106. User 130may use mobile device 102 to make such a payment. In certainembodiments, payment terminal 106 may communicate message 122 to mobiledevice 102. Message 122 may comprise a request for a payment method. Atstep 202, in response to message 122, user 130 may input usercredentials as a first level of authentication. For example, usercredentials may be the user's name, a username, a password, an accountname, a personal identification number, a social security number, acredit card number, any combination thereof, or any other informationthat can authenticate a user 130.

At step 204, multilevel authentication system 100 may determine whetherthe user credentials entered by user 130 into mobile device 102 arecorrect. The validity of the user credentials may be determined atmobile device 102, sales terminal 106, authentication module 150, or anyother suitable component of multilevel authentication system 100. If theuser credentials are incorrect, then the example method may return tostep 202. If the user credentials are correct, then the example methodmay proceed to step 206.

At step 206, multilevel authentication system 100 may determine whetherperipheral device 114 is coupled to mobile device 102. For example,mobile device 102 may determine whether peripheral device 114, such as aBluetooth® device, is coupled to mobile device 102. If peripheral device114 is not coupled to mobile device 102, then the example method mayproceed to step 208. If multilevel authentication system 100 determinesperipheral device 114 is coupled to mobile device 102, then the examplemethod may proceed to step 210.

At step 208, user 130 is denied authorization and the example method mayproceed to step 218. At step 218, multilevel authentication system 100may query user 130 to determine if user 130 desires to retry thecoupling of peripheral device 114. If user 130 decides to retry thecoupling of peripheral device 114, the example method may proceed tostep 206. Otherwise, the example method may conclude.

At step 210, payment terminal 106 may access mobile device identifier104, peripheral device identifier 116, user credentials entered by user130, a unique identifier identifying user 130, and/or any otherinformation that may be used by multilevel authentication system 100 toauthenticate user 130. In certain embodiments, payment terminal 106 mayaccess information pertaining to the communication protocol couplingperipheral device 114 to mobile device 102. Payment terminal 106 maycommunicate the information accessed from mobile device 102 toauthentication module 150 via message 124. In addition to theinformation accessed from mobile device 102, message 124 may comprise arequest to authenticate user 130. In certain embodiments, message 124may be communicated to authentication module 150 via network 140.Alternatively, mobile device 102 may communicate the same information inmessage 126 to authentication module 150 via network 140. The examplemethod may then proceed to step 212.

At step 212, in response to message 124, authentication module 150facilitates communication between processor 132 and memory 134 toinitiate the authentication of user 130. Using the information includedin message 124, authentication module 150 may retrieve a particular useraccount 136 from user accounts 136. For example, authentication module150 may use the unique identifier of user 130 to retrieve a particularuser account 136. According to some embodiments, user accounts 136 maybe stored in memory 134. In some embodiments, user accounts 136 may bestored in one or more text files, tables in a relational database, orany other suitable data structure capable of storing information. Eachuser account 136 may be associated with a user 130. User account 136 maycontain information that authentication module 150 may use to compareagainst the information included in message 124. For example, useraccount 136 may include a unique identifier for user 130, mobile deviceidentifier 104, peripheral device identifier 116, an identifier forsensor 138, user input from sensor 138, authorization preferences foruser 130, user credentials, and/or any other information useful forauthenticating user 130. Authentication module 150 may compare mobiledevice identifier 104 included in message 124 with mobile deviceidentifier 104 of user account 136. If mobile device identifier 104included in message 124 does not match mobile device identifier 104included in user account 136, authentication module 150 may denyauthentication of user 130 and the example method may proceed to step202. If mobile device identifier 104 included in message 124 matchesmobile device identifier 104 included in user account 136, the examplemethod may proceed to step 214.

At step 214, authentication module 150 may compare peripheral deviceidentifier 116 included in message 124 to peripheral device identifier116 included in user account 136. If peripheral device identifier 116included in message 124 does not match peripheral device identifier 116included in user account 136, authentication module 150 may proceed tostep 208. If peripheral device identifier 116 included in message 124matches peripheral device identifier 116 c included in user account 136,the example method may proceed to step 216. At step 216, authenticationmodule 150 may communicate message 142 to mobile device 102 and/orpayment terminal 106 indicating that user 130 is authenticated. Onceuser 130 is authenticated, then user 130 may proceed with the currenttransaction.

FIG. 3 illustrates an example multilevel authentication method to beperformed by the example system 100 of FIG. 1 according to certainembodiments of a present disclosure. The method may be implemented inany suitable combination of software, firmware, and hardware. Althoughparticular components may be identified as performing particular steps,the present disclosure contemplates any suitable components performingthe steps according to particular needs.

At step 300, user 130 may attempt a transaction at payment terminal 106.For example, user 130 may initiate a purchase at payment terminal 106.User 130 may be prompted for a payment at payment terminal 106. User 130may use mobile device 102 to make such a payment. Payment terminal 106may communicate message 122 to mobile device 102. Message 122 maycomprise a request for a payment method. At step 302, in response tomessage 122, user 130 may input user credentials as a first level ofauthentication. For example, user credentials may be the user's name, ausername, a password, an account name, a personal identification number,a social security number, a credit card number, any combination thereof,or any other information that can authenticate a user 130.

At step 304, multilevel authentication system 100 may determine whetherthe user credentials entered by user 130 into mobile device 102 arecorrect. The validity of the user credentials may be determined atmobile device 102, sales terminal 106, authentication module 150, or anyother suitable component of multilevel authentication system 100. If theuser credentials are incorrect, then the example method may return tostep 302. If the user credentials are correct, then the example methodmay proceed to step 306.

At step 306, multilevel authentication system 100 may determine whetherinput from user 130 has been received by sensor 138 of mobile device102. If no input has been received by sensor 138, then the examplemethod may proceed to step 308. If multilevel authentication system 100determines that sensor 138 received input from user 130, then theexample method may proceed to step 310.

At step 308, user 130 is denied authorization and the example method mayproceed to step 318. At step 318, multilevel authentication system 100may query user 130 to determine if user 130 desires to retry enteringinput into sensor 138 of mobile device 102. If user 130 decides to retryentering input into sensor 138 of mobile device 102, the example methodmay proceed to step 306. Otherwise, the example method may conclude.

At step 310, payment terminal 106 may access mobile device identifier104, user credentials entered by user 130, a unique identifieridentifying user 130, information about the input of user 130 usingsensor 138, and/or any other information that may be used by multilevelauthentication system 100 to authenticate user 130. According to someembodiments, payment terminal 106 may communicate the informationaccessed from mobile device 102 to authentication module 150 via message124. In addition to the information accessed from mobile device 102,message 124 may comprise a request to authenticate user 130. In certainembodiments, message 124 may be communicated to authentication module150 via network 140. Alternatively, mobile device 102 may communicatethe same information in message 126 to authentication module 150 vianetwork 140. The example method may then proceed to step 312.

At step 312, in response to message 124, authentication module 150facilitates communication between processor 132 and memory 134 toinitiate the authentication of user 130. Using the information includedin message 124, authentication module 150 may retrieve a particular useraccount 136 from user accounts 136. For example, authentication modulemay use the unique identifier of user 130 to retrieve a particular useraccount 136. In certain embodiments, user accounts 136 may be stored inmemory 134. User accounts 136 may be stored in one or more text files,tables in a relational database, or any other suitable data structurecapable of storing information. Each user account 136 may be associatedwith a user 130. User account 136 may contain information thatauthentication module 150 may use to compare against the informationincluded in message 124. For example, user account 136 may include aunique identifier for user 130, mobile device identifier 104, peripheraldevice identifier 116, an identifier for sensor 138, user input fromsensor 138, authorization preferences for user 130, user credentials,and/or any other information useful for authenticating user 130.Authentication module 150 may compare mobile device identifier 104included in message 124 with mobile device identifier 104 of useraccount 136. If mobile device identifier 104 included in message 124does not match mobile device identifier 104 included in user account136, authentication module 150 may deny authentication of user 130 andthe example method may proceed to step 302. If mobile device identifier104 included in message 124 matches mobile device identifier 104included in user account 136, the example method may proceed to step314.

At step 314, user account 136 may include previously saved user 130input into sensor 138 of mobile device 102. In such embodiments, message124 may contain the input of user 130 into sensor 138 of mobile device102. The input of user 130 into sensor 138 may be in any suitable formataccording to particular needs. Authentication module 150 may compare theinput of user 130 included in message 124 against the previous saveduser 130 input into sensor 138 of mobile device 102. If the two inputsdo not match or are not similar enough to verify user 130, then theexample method may proceed to step 308. If the two user inputs match orare similar enough to verify user 130, then the example method mayproceed to step 316. At step 316, authentication module 150 maycommunicate message 142 to mobile device 102 and/or payment terminal 106indicating that user 130 is authenticated. Once user 130 isauthenticated, then user 130 may proceed with the current transaction.

FIG. 4 illustrates example multilevel authentication data, which may beutilized by the example system of FIG. 1 to authenticate a user,according to certain embodiments of the present disclosure. An exampledata set of FIG. 4 is multilevel authentication data 400, whichrepresents multilevel authentication data stored for various users 130and used by authentication module 150 to authenticate users 130. Itshould be understood that multilevel authentication data 400 is providedfor example purposes only. The example multilevel authentication data400 will be described with reference to example multilevelauthentication system 100. Multilevel authentication data 400 isdepicted as having a tabular structure for illustrative purposes only.Multilevel authentication data 400 can be stored in a text file, a tablein a relational database, a spreadsheet, a hash table, a linked list, orany other suitable data structure capable of storing information. Eachentry in multilevel authentication data 400 may or may not be assigned aunique identifier. It should be noted that although only clear textvalues readable by humans are shown in multilevel authentication data400, multilevel authentication system 100 is capable of accommodating avariety of formatted data values including encrypted data values forincreased security. In certain embodiments, multilevel authenticationdata 400 may be stored as part of accounts 136 in memory 134.

Generally, multilevel authentication data 400 contains various detailsabout users 130 that authentication module 150 may use to authenticateuser 130. For example, multilevel authentication data 400 may containuser identifier 402, mobile device identifier 404, authentication deviceidentifier 406, authorization preferences 408, and user credentials 410.Records 412 are example entries of multilevel authentication data 400.In some embodiments, each record 412 corresponds to a particular user130. In other embodiments, a particular user 130 may have multiplecorresponding records 412 representing a variety of multilevelauthentication options. Although four records 412 are illustrated,multilevel authentication data 400 may contain as many or as few records412 required to fulfill particular needs. Similarly, although only fivedata elements, depicted in the current example as columns, are shown inmultilevel authentication data 400, multilevel authentication data 400may contain as many or as few data elements as required to fulfillparticular needs.

User identifier 402 may represent a unique identifier of a particularuser 130. For example, user identifier 402 may be a number, a string ofalphabetical characters, a string of alphanumeric characters, or anyother data type capable of identifying a particular user 130. In theillustrated example, user identifier 402 is an integer. For example,record 412 a is associated with a particular user 130 with useridentifier 402 of “001,” record 412 b is associated with a particularuser 130 with user identifier 402 of “002,” record 412 c is associatedwith a particular user 130 with user identifier 402 of “003,” and record412 d is associated with a particular user 130 with user identifier 402of “004.”

Mobile device identifier 404 may represent a unique identifier of aparticular mobile device 102. For example, mobile device identifier 404may be a number, a string of alphabetical characters, a string ofalphanumeric characters, or any other data type capable of identifying aparticular mobile device 102. In certain embodiments, mobile deviceidentifier 404 of a particular mobile device 102 may correspond tomobile device identifier 104 of the particular mobile device 102. In theillustrated example, mobile device identifier 404 is an integer. Forexample, record 412 a is associated with a particular mobile device 102with mobile device identifier 404 of “2423,” record 412 b is associatedwith a particular mobile device 102 with mobile device identifier 404 of“1255,” record 412 c is associated with a particular mobile device 102with mobile device identifier 404 of “4422,” and record 412 d isassociated with a particular mobile device 102 with mobile deviceidentifier 404 of “4221.”

Authentication device identifier 406 may represent a unique identifierof a particular authentication device. For example, authenticationdevice identifier 406 may correspond to peripheral device identifier 116or an identifier associated with sensor 138 of mobile device 102.Authentication device identifier 406 may be a number, a string ofalphabetical characters, a string of alphanumeric characters, or anyother data type capable of identifying a particular authenticationdevice. In the illustrated example, authentication device identifier 406is an integer. For example, record 412 a is associated with anauthentication device identifier 406 of “56554,” record 412 b isassociated with an authentication device identifier 406 of “76433,”record 412 c is associated with an authentication device identifier 406of “84433,” and record 412 d is associated with an authentication deviceidentifier 406 of “92323.”

Authorization preferences 408 may represent information regarding themultilevel authentication preferences of user 130. For example,authorization preferences 408 may contain information about peripheraldevice 114, sensor 138, previously stored input from user 130 intosensor 138, required input from sensor 138, and/or any other informationthat would be suitable for multilevel authentication according toparticular needs. Authorization preferences 408 may be stored in anydata format or data structure suitable for particular needs. In theillustrated example, authorization preferences 408 are stored in ahuman-readable clear text format for illustrative purposes. For example,record 412 a includes authorization preferences 408 of “BLUETOOTH FOB,”which may provide information regarding peripheral device 114 tomultilevel authentication system 100 such as peripheral device 114 maybe a security device issued by an enterprise. Record 412 b includesauthorization preferences 408 of “BLUETOOTH HEADSET,” which may provideinformation regarding peripheral device 114 to multilevel authenticationsystem 100 such as peripheral device 114 may be a consumer electronicdevice. Record 412 c includes authorization preferences 408 of “RETINALSCAN,” which may provide information about sensor 138 to multilevelauthentication system 100. In this example, “RETINAL SCAN” may signifythat sensor 138 of mobile device 102 is capable of conducting a retinalscan of user 130. In certain embodiments, authorization preferences 408may include data previously inputted into sensor 138, signifying acorrect retinal scan, by user 130 that multilevel authentication system100 may compare against when authenticating user 130. Record 412 dincludes authorization preferences 408 of “ACCELEROMETER L-SHAPE,” whichmay provide information about sensor 138 to multilevel authenticationsystem 100. In this example, “ACCELEROMETER L-SHAPE” may signify thatsensor 138 of mobile device 102 is capable of functioning as amotion-detecting accelerometer and that user 130 must “wave” mobiledevice 102 in an “L” shape to be authenticated. In certain embodiments,authorization preferences 408 may include data previously inputted intosensor 138, signifying a correct movement of mobile device 102, by user130 that multilevel authentication system 100 may compare against whenauthenticating user 130.

User credentials 410 may represent a correct user credential that user130 may enter to gain a first level of authentication. For example, usercredentials 410 may be the user's name, a username, a password, anaccount name, a personal identification number, a social securitynumber, a credit card number, any combination thereof, or any otherinformation that can authenticate a user 130. Multilevel authenticationsystem 100 may compare an entered user credential against usercredentials 410 to determine if user 130 passes a first level ofauthentication. In the illustrated example, record 412 a includes usercredentials 410 of “HOUSTON,” record 412 b includes user credentials 410of “password1,” record 412 c includes user credentials 410 of“12345678,” and record 414 d includes user credentials 410 of“OklahOma.”

Although the present disclosure describes or illustrates particularoperations as occurring in a particular order, the present disclosurecontemplates any suitable operations occurring in any suitable order.Moreover, the present disclosure contemplates any suitable operationsbeing repeated one or more times in any suitable order. Although thepresent disclosure describes or illustrates particular operations asoccurring in sequence, the present disclosure contemplates any suitableoperations occurring at substantially the same time, where appropriate.Any suitable operation or sequence of operations described orillustrated herein may be interrupted, suspended, or otherwisecontrolled by another process, such as an operating system or kernel,where appropriate. The acts can operate in an operating systemenvironment or as stand-alone routines occupying all or a substantialpart of the system processing.

Although the present disclosure has been described with severalembodiments, diverse changes, substitutions, variations, alterations,and modifications may be suggested to one skilled in the art, and it isintended that the disclosure encompass all such changes, substitutions,variations, alterations, and modifications as fall within the spirit andscope of the appended claims.

1. An authentication system comprising: a memory operable to: store auser account identifier associated with a user account, the user accountassociated with a user; store a mobile device identifier associated witha mobile device and the user account; store a first user credentialassociated with the user account; and store a second user credential,the second user credential associated with the user account, wherein thesecond user credential comprises user input data, the user input datacaptured by a sensor associated with the mobile device; a networkinterface operable to receive a request to authenticate a requestinguser; and a processor communicatively coupled to the memory and thenetwork interface, the memory including executable instructions thatupon execution cause the system to: determine information included inthe request to facilitate authentication of the requesting user;determine whether the information included in the request matches theinformation associated with the user account; and authenticate therequesting user if the request is associated with the user account andinformation included in the request matches the information associatedwith the user account.
 2. The system of claim 1, wherein the requestcomprises: a requesting user account identifier; a requesting mobiledevice identifier, the requesting mobile device identifier associatedwith a requesting mobile device; a first requesting user credential; anda second requesting user credential, the second requesting usercredential comprising requesting user input data, the requesting userinput data captured by a requesting sensor associated with therequesting mobile device.
 3. The system of claim 2, wherein determiningwhether information included in the request matches the informationassociated with the user account comprises: determining whether therequesting user account identifier matches the user account identifier;determining whether the requesting mobile device identifier matches themobile device identifier; determining whether the first requesting usercredential matches the first user credential; and determining whetherthe second requesting user credential matches the second usercredential.
 4. The system of claim 1, wherein the sensor is a selectedone of the following: a retinal scanner; a fingerprint scanner; a motionsensor; or a vocal sensor.
 5. The system of claim 1, wherein the sensoris a biometric device.
 6. The system of claim 1, wherein the sensor isoperable to detect a movement of the mobile device according to aspatial pattern.
 7. The system of claim 1, wherein the user input datais a selected one of the following: retinal scan data of the user;fingerprint scan data of the user; movement data of the mobile device;or vocal data of the user.
 8. The system of claim 1, wherein the seconduser credential is associated with a geographical location of the mobiledevice.
 9. An authentication method, comprising: storing a user accountidentifier associated with a user account, the user account associatedwith a user; storing a mobile device identifier associated with a mobiledevice and the user account; storing a first user credential associatedwith the user account; and storing a second user credential, the seconduser credential associated with the user account, wherein the seconduser credential comprises user input data, the user input data capturedby a sensor associated with the mobile device; receiving a request toauthenticate a requesting user; determining, by a processor, informationincluded in the request to facilitate authentication of the requestinguser; determining, by the processor, whether the information included inthe request matches the information associated with the user account;and authenticating, by the processor, the requesting user if the requestis associated with the user account and information included in therequest matches the information associated with the user account. 10.The method of claim 9, wherein the request comprises: a requesting useraccount identifier; a requesting mobile device identifier, therequesting mobile device identifier associated with a requesting mobiledevice; a first requesting user credential; and a second requesting usercredential, the second requesting user credential comprising requestinguser input data, the requesting user input data captured by a requestingsensor associated with the requesting mobile device.
 11. The method ofclaim 10, wherein determining whether information included in therequest matches the information associated with the user accountcomprises: determining whether the requesting user account identifiermatches the user account identifier; determining whether the requestingmobile device identifier matches the mobile device identifier;determining whether the first requesting user credential matches thefirst user credential; and determining whether the second requestinguser credential matches the second user credential.
 12. The method ofclaim 9, wherein the sensor is a selected one of the following: aretinal scanner; a fingerprint scanner; a motion sensor; or a vocalsensor.
 13. The method of claim 9, wherein the sensor is a biometricdevice.
 14. The method of claim 9, wherein the sensor is operable todetect a movement of the mobile device according to a spatial pattern.15. The method of claim 9, wherein the user input data is a selected oneof the following: retinal scan data of the user; fingerprint scan dataof the user; movement data of the mobile device; or vocal data of theuser.
 16. The method of claim 9, wherein the second user credential isassociated with a geographical location of the mobile device.
 17. Anauthentication system comprising: a memory operable to: store a useraccount identifier associated with a user account, the user accountassociated with a user; store a mobile device identifier associated witha mobile device and the user account; store a first user credentialassociated with the user account; and store a second user credential,the second user credential associated with the user account, wherein thesecond user credential comprises user input data, the user input datacaptured by a sensor associated with the mobile device; a networkinterface operable to receive a request to authenticate a requestinguser, wherein the request comprises: a requesting user accountidentifier; a requesting mobile device identifier, the requesting mobiledevice identifier associated with a requesting mobile device; a firstrequesting user credential; and a second requesting user credential, thesecond requesting user credential comprising requesting user input data,the requesting user input data captured by a requesting sensorassociated with the requesting mobile device; and a processorcommunicatively coupled to the memory, the memory including executableinstructions that upon execution cause the system to: compare therequesting user account identifier to the user account identifier;compare the requesting mobile device identifier to the mobile deviceidentifier; compare the first requesting user credential to the firstuser credential; compare the second requesting user credential to thesecond user credential; and authenticate the requesting user if therequesting user account identifier matches the user account identifier,the requesting mobile device identifier matches the mobile deviceidentifier the first requesting user credential matches the first usercredential, and the second requesting user credential matches the seconduser credential.
 18. The system of claim 17, wherein the sensor is aselected one of the following: a retinal scanner; a fingerprint scanner;a motion sensor; or a vocal sensor.
 19. The system of claim 17, whereinthe sensor is a biometric device.
 20. The system of claim 17, whereinthe sensor is operable to detect a movement of the mobile deviceaccording to a spatial pattern.
 21. The system of claim 17, wherein theuser input data is a selected one of the following: retinal scan data ofthe user; fingerprint scan data of the user; movement data of the mobiledevice; or vocal data of the user.
 22. The system of claim 17, whereinthe second user credential is associated with a geographical location ofthe mobile device.